I am using a .NET application, in which there is a feature
to upload files (.doc .xls) onto the server. How do I ensure
that the end user is uploading only permitted file type(s) &
not files containing any malicious code which can lead to
the compromise of the server? Please suggest security
measures that should be taken to avoid any such unwanted
upload.
Regards

Usman
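One way to implement the checks the question asks about, as an added example that is not part of the original post or its replies. It validates an upload server-side the way a defender would for a feature that accepts only legacy .doc and .xls files: an extension allow-list, a size bound, a file-signature check on the actual bytes (legacy Word and Excel files are OLE2 compound documents), and a server-generated storage name. The class name, the 10 MiB limit and the sample inputs in `Main` are assumptions; the code uses only `System`, `System.IO` and `System.Linq`, so it is independent of the ASP.NET upload API in use.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;

// Added example, not code from the original post. Server-side checks for an
// upload feature that should accept only legacy .doc and .xls files. The
// class name, the size limit and the sample inputs are assumptions.
public static class UploadValidator
{
    // Allow-list of permitted extensions; anything else is rejected.
    private static readonly HashSet<string> AllowedExtensions =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { ".doc", ".xls" };

    // Legacy .doc and .xls files are OLE2 compound documents and begin with
    // this 8-byte signature, whatever name or Content-Type the client sends.
    private static readonly byte[] Ole2Signature =
        { 0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1 };

    private const long MaxSizeBytes = 10L * 1024 * 1024; // assumed policy: 10 MiB

    public sealed class Result
    {
        public bool Accepted;
        public string Reason;
        public string StoredName; // server-chosen name; the client's name is never used
    }

    // clientFileName and the Content-Type header both come from the client and
    // are untrusted; only the extension allow-list and the file content decide.
    public static Result Validate(string clientFileName, long declaredLength, Stream content)
    {
        if (content == null || declaredLength <= 0 || declaredLength > MaxSizeBytes)
            return Reject("missing content or size out of bounds");

        // Keep only the final path component; the stored name never reuses it anyway.
        string baseName = Path.GetFileName(clientFileName ?? string.Empty);
        string ext = Path.GetExtension(baseName);
        if (string.IsNullOrEmpty(ext) || !AllowedExtensions.Contains(ext))
            return Reject("extension not permitted");

        // GetExtension returns the last extension, so "tool.exe.doc" passes the
        // allow-list; the signature check below is what catches a renamed binary.
        byte[] header = new byte[Ole2Signature.Length];
        if (!ReadExactly(content, header) || !header.SequenceEqual(Ole2Signature))
            return Reject("content is not an OLE2 (.doc/.xls) document");

        // Store under a server-generated name with the validated extension, in a
        // directory outside the web root so the upload can never be served as a page.
        // The signature check confirms the container, not that the file is free of
        // macros; scan stored files with the organisation's anti-virus as well.
        string storedName = Guid.NewGuid().ToString("N") + ext.ToLowerInvariant();
        return new Result { Accepted = true, Reason = "ok", StoredName = storedName };
    }

    // Stream.Read may return fewer bytes than requested; loop until the buffer is full.
    private static bool ReadExactly(Stream s, byte[] buffer)
    {
        int total = 0;
        while (total < buffer.Length)
        {
            int n = s.Read(buffer, total, buffer.Length - total);
            if (n <= 0) return false;
            total += n;
        }
        return true;
    }

    private static Result Reject(string reason)
    {
        return new Result { Accepted = false, Reason = reason, StoredName = null };
    }

    // Constructed inputs for a stand-alone run: a minimal OLE2 header under a
    // permitted name, and an executable header ("MZ") renamed to .doc.
    public static void Main()
    {
        byte[] okDoc = new byte[] { 0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1, 0x00, 0x00 };
        byte[] renamedExe = new byte[] { 0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00, 0x04, 0x00 };

        Result a = Validate(@"..\..\report.doc", okDoc.Length, new MemoryStream(okDoc));
        Result b = Validate("invoice.doc", renamedExe.Length, new MemoryStream(renamedExe));
        Result c = Validate("macro.xls.exe", okDoc.Length, new MemoryStream(okDoc));

        Console.WriteLine("report.doc: {0} -> {1}", a.Accepted, a.Reason);      // True -> ok
        Console.WriteLine("invoice.doc: {0} -> {1}", b.Accepted, b.Reason);     // False -> not OLE2
        Console.WriteLine("macro.xls.exe: {0} -> {1}", c.Accepted, c.Reason);   // False -> extension
    }
}
```

The order of the checks matters: the cheap size and extension tests run before any bytes are read, the content check is what defeats a renamed executable, and the client-supplied name and Content-Type are never used for the stored file. Serving the stored files from a location the web server will not execute (or through a download handler that sets `Content-Disposition: attachment`) closes the remaining path from "uploaded file" to "code running on the server".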

We are excited to provide details of the next OWASP NYC Meeting that will
be taking place at PricewaterhouseCoopers 300 Madison Ave (BETWEEN EAST
41ST AND E. 42nd St.) on Wednesday, September 28th from 6PM - 9PM. It
promises to be a full program with 2 experts in their fields, as well as
all of your participation.
Please RSVP to peter.stern@...
PROGRAM WILL INCLUDE THE FOLLOWING 2 PRESENTATIONS:
-------------------------------------------------------------------------
FEISAL NANJI (Ernst & Young) will speak on the Value of the SDLC within
Application Security
Understanding security vulnerabilities within the context of the SDLC
involves a variety of assessment techniques including threat models,
design reviews, security tests, and code reviews. Since enterprise
software development is a complicated undertaking, tools that help in
automating the discovery, analysis, reporting, and remediation of security
vulnerabilities are central to security process development and security
assessment. The presentation provides a description of processes and the
necessary tools to significantly improve security while applications are
being developed.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
PETER GIEN (Secure Software) will speak on Bringing Developers to the
Water and Making them Drink
Regulatory and legal forces are driving coding standards and practices in
large enterprises, particularly financial institutions. Some
financial institutions are meeting this challenge by developing Control
Standards that govern the development of critical software. In addition,
security has become an important activity through all phases of the SDLC.
Finally, compliance with Control Standards is now being forced by policy
driven, automated analysis of source code. Many institutions are adopting
frameworks for authentication, authorization and role-based access
control. In these cases, we are finding that significant levels of
vulnerability exist in the frameworks themselves, no matter if they are
internally developed or based on Open Source. In this talk we will give
examples of Control Standards that can be enforced through
automated analysis, as well as some examples that still have to be done
the old-fashioned way in a code review. We will also present a summary of
the automated analysis of some popular Open Source frameworks (Java and C).
========================================================================
BIOS:
PETER GIEN
Peter Gien is a Principal Consultant at Secure Software Inc. where he is
engaged in helping large financial institutions improve their SDLC through
education of project teams in all matters of security, and in particular
through the strategic deployment of automated code-scanning technology.
Prior to joining Secure Software, Peter worked for Microsoft Corporation
in the National Practices as a security and PKI expert. During his tenure
at Microsoft, Peter was involved in many PKI
consulting engagements with Fortune 100 companies and government
agencies. Before joining Microsoft, Peter was employed at Identrus, a
global banking PKI consortium. Peter authored the Identrus Smart Card
Requirements and Digital Signature specifications.
In spite of holding a Ph.D. in Aerospace Engineering, Peter has enjoyed a
technical career involving computers from the 8088 era onwards.
FEISAL NANJI
Senior Manager, Security and Technology Solutions (STS)
Feisal has 18 years of experience in Information Technology markets,
specifically in Software, Hardware, Semiconductors, and Information
Delivery. At Ernst & Young he leads Ernst & Young's Application Security
Advisory (ASA) service line focused on helping clients improve security
within the software development lifecycle. He is responsible for process
methodology, client delivery, and adoption of new technologies. At Ernst &
Young, Feisal has worked on numerous security assignments for global
banks, investment houses, telecommunications firms, and media companies
focusing on application security, corporate governance, and security
policy development.
Prior to Ernst & Young, he was Vice President of Business Development at
Primeon Inc, an Application Security Specialist, where he was responsible
for revenue generation targeting Wall Street and developing technology
alliances. Feisal also has extensive experience in software development as
Product Manager of Software at Berkeley Process Control, where he was
responsible for product strategy. He has also served in the role of
Director of Research at Devonshire Partners, as well as Director of
Research at Skow Inc. where he was an investment analyst focusing on
information technology.
At Skow, Inc. Feisal was instrumental in helping launch Vermeer
Technologies, creator of FrontPage software that was eventually purchased
by Microsoft Corporation for inclusion into its Office suite.
Education, Certifications and Affiliations
Feisal has a Masters in Public Policy from Harvard and is a Certified
Information Systems Security Professional (CISSP).
===========================================================================
We look forward to seeing everyone!!!

As today's temperature peaks near 100 degrees, it makes sense to think
about the coolest place to be on Wednesday, September 28th. OWASP NYC
Chapter is still putting the finishing touches on the program, but you can
be sure it will be a great chance to learn, network and share information.
Our plans will be for the meeting to be hosted by:
PricewaterhouseCoopers
300 Madison Ave (BETWEEN EAST 41ST AND E. 42nd St.)
6PM - 9PM
ENJOY THE REST OF THE SUMMER & LOOK FOR FURTHER DETAILS SHORTLY!